Should we verify minimal dependency versions

Question

Should we verify minimal dependency versions

epage opened this issue 5 years ago · 6 comments

cargo has an unstable flag to calculate dependencies using the minimum rather than the maximum version. This verifies that Cargo.tomls are not stale.

Answer 1 · 2019-07-15T14:39:54.000Z

The downside is the brittleness of dependencies if they aren't also verifying it.

Answer 2 · 2019-07-15T15:11:39.000Z

I think this should be an opt-in stage. Not sure what Rust version it should be run on (does it require nightly atm?).

Answer 3 · 2019-07-15T15:19:17.000Z

I think you can use unstable flags without nightly but I'm unsure. I at least do it with libtest's json output.

Answer 4 · 2019-07-15T15:19:53.000Z

As for best practices, I am unsure. I've seen discussions around this but haven't adopted it myself (yet). I've been tempted to adopt it due to minrust issues.

Answer 5 · 2019-07-28T16:03:58.000Z

Relevant: rust-lang/api-guidelines#123

Answer 6 · 2020-01-20T18:47:26.000Z

Closing this in favor of #78.